
If the browsers in question don't correctly implement all necessary standards to guard against XSS, frame-busting, and MITM attacks, Google will do what it can to protect its users against foot-shooting.

Changing the UA is equivalent to "voiding the warranty," so I'm not surprised Google isn't taking extraordinary measures. At some point, if your users really want to shoot their feet, there's only so much you can do to stop them.




If a browser doesn't implement the standards to guard against MITM attacks, what makes you think it implements the standards to guard against user-agent manipulation during the MITM attack?

You've misunderstood what I'm getting at here. It's not the user that's going to purposefully change their agent -- it's that a browser that is insecure to the point that you can't trust it to log in is also insecure to the point that you can't trust its user agent to be reported correctly.

The entire security exercise is pointless because compromised browsers lie. They don't respect user preferences. An attacker who intercepts and modifies a request isn't going to suddenly start being honest with you when you ask what browser that request came from.


The code paths to change UA and implement XSS protection are different code paths.


No, User-Agent is no longer a forbidden header for Javascript fetch requests[0].

To be fair, both Chrome and Firefox have outstanding bugs where they haven't yet implemented the correct specs. But there is no reason to assume that a spec-compliant browser will block Javascript from setting the User Agent for a request. It's likely to allow it, because allowing it is the correct behavior.

Even if it wasn't the correct behavior, it's silly to assume that a browser that doesn't implement XSS protection is suddenly going to get good security when it comes to implementing UA freezing in request headers. I don't think there's a world where a browser maintainer says, "it's too much work for me to respect CORS, but I really want to make sure I'm following this obscure forbidden headers list".

[0]: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_...
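As an added example (not the commenter's code, and not any browser's implementation), here is the Fetch standard's "forbidden request-header" check written out in JavaScript; the header list and the Proxy-/Sec- prefix rule are transcribed from the WHATWG Fetch spec as I recall it, so treat the exact list as an assumption to verify against the live spec. It shows that User-Agent is not on the list (script may set it), while Origin, Cookie and Sec-* headers remain browser-controlled, which is the only group a server can even hope to treat as authoritative.

```javascript
// Added example: the Fetch standard's "forbidden request-header" check.
// The list below is transcribed from memory of the WHATWG Fetch spec
// (assumption: it matches the current spec); not code from the thread.

const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_METHODS = new Set(["connect", "trace", "track"]);
const METHOD_OVERRIDE_NAMES = new Set([
  "x-http-method", "x-http-method-override", "x-method-override",
]);

// Returns true if page script is NOT allowed to set this (name, value) pair.
function isForbiddenRequestHeader(name, value = "") {
  const n = name.toLowerCase();
  if (FORBIDDEN_NAMES.has(n) || n.startsWith("proxy-") || n.startsWith("sec-")) {
    return true;
  }
  if (METHOD_OVERRIDE_NAMES.has(n)) {
    // Method-override headers are forbidden only when the value would
    // smuggle a forbidden method (CONNECT, TRACE, TRACK), per the spec.
    return value.split(",").some(m => FORBIDDEN_METHODS.has(m.trim().toLowerCase()));
  }
  return false;
}

// Partition a proposed header set into what script controls and what the
// browser keeps authoritative. A server-side policy may lean on the second
// group only; User-Agent always lands in the first (and, as the thread notes,
// a compromised client can lie about both).
function classifyHeaders(headers) {
  const scriptSettable = [], browserControlled = [];
  for (const [name, value] of Object.entries(headers)) {
    (isForbiddenRequestHeader(name, value) ? browserControlled : scriptSettable).push(name);
  }
  return { scriptSettable, browserControlled };
}

// Constructed sample: headers a page's script might try to attach to fetch().
const SAMPLE = {
  "User-Agent": "Mozilla/5.0 (constructed sample UA)",
  "Origin": "https://example.invalid",
  "Sec-Fetch-Site": "cross-site",
  "X-HTTP-Method-Override": "PATCH",
};

console.log(classifyHeaders(SAMPLE));
```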



